Does this PHP code expose a website to SQL injection?

I am working on a web application and I came across this piece of code:

$email=$_POST['email'];
$pass=$_POST['pass'];
$pass=md5($pass);
$query=mysql_real_escape_string($email,$link);
//echo $query."<br>";
$sql=mysql_query("SELECT pass FROM users WHERE email='".$email."'",$link);
if($row=mysql_fetch_array($sql))
{

I think the programmer intended $query=mysql_real_escape_string($email,$link); to be $email=mysql_real_escape_string($email,$link);

Do I have a correct idea?

+3
3 answers

Yes, you are absolutely right - just correct this part, as you said, changing it to

 $email = mysql_real_escape_string($email, $link);

and it will protect against SQL injection there.

As a side note, I suggest using hash("sha512", xxx) instead of md5, because MD5 is becoming obsolete. If your column size does not allow this, though, and you do not have the ability to change it, it is still OK.

+5
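The difference between the code as posted (escaped copy stored in `$query` and never used) and a bound parameter, as an added example that is not part of the original posts. Assumptions: it uses PDO with an in-memory SQLite database and constructed data so that it runs offline, because the `mysql_*` extension was removed in PHP 7.0; `PDO::quote()` stands in for `mysql_real_escape_string()`, and the function names `lookupAsPosted` and `lookupPrepared` are hypothetical.

```php
<?php
// Added example: constructed in-memory data, not the application's real schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (email TEXT PRIMARY KEY, pass TEXT)");
$ins = $pdo->prepare("INSERT INTO users (email, pass) VALUES (?, ?)");
$ins->execute(["o'brien@example.com", md5('constructed-password')]);

// Pattern from the question: the escaped copy lands in $query and is never
// used, so the raw value is concatenated into the SQL text.
function lookupAsPosted(PDO $pdo, string $email): string
{
    $query = $pdo->quote($email);   // stand-in for mysql_real_escape_string(); result discarded
    $sql = "SELECT pass FROM users WHERE email='" . $email . "'";
    try {
        $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? 'row found' : 'no row';
    } catch (PDOException $e) {
        // The quote inside the value ended the string literal early,
        // so the input changed the structure of the statement.
        return 'query text altered by input';
    }
}

// Prepared statement: the value is bound as data and never parsed as SQL.
function lookupPrepared(PDO $pdo, string $email): string
{
    $stmt = $pdo->prepare("SELECT pass FROM users WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? 'row found' : 'no row';
}

$email = "o'brien@example.com";     // a legitimate address that contains a quote
echo "as posted: ", lookupAsPosted($pdo, $email), PHP_EOL;
echo "prepared:  ", lookupPrepared($pdo, $email), PHP_EOL;
echo "prepared (unknown address): ", lookupPrepared($pdo, "nobody@example.com"), PHP_EOL;
```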

, $email , , . , , .

+2

To prevent blind SQL, wrap your POST data with two additional filters:

$email = mysql_real_escape_string(strip_tags(stripslashes($email)), $link);

+1